
On Sunday 14 March 2010 23:37:06 Scott McMurray wrote:
On 14 March 2010 15:21, Tom Brinkman <reportbase2007@gmail.com> wrote:
The printf-style parameters are responsible for thousands and thousands of security vulnerabilities.
Just plain wrong.
Some evidence for your position would be good, since it's trivial to find documentation of holes from printf-style parameters: http://en.wikipedia.org/wiki/Format_string_attack
I don't think that's a hole from printf-style parameters. By reading that page it's trivial to notice that it's the %n format specifier -- which actually writes something into the program -- that is the key component of the attack. Clearly a printf-like function that does not support any way to modify program state is safe. Am I missing something?

Thanks,
Volodya
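An added example (my own code, not from anyone in the thread) of the distinction being argued above: a checker that flags the %n write specifier in a format string, and a logging wrapper in which untrusted text only ever reaches the formatter as a %s argument, so its own %-sequences are never interpreted. The names format_has_n, log_line and copied_verbatim are mine.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if fmt contains a %n conversion (the write primitive the thread
 * singles out), 0 otherwise.  "%%" is a literal percent, not a conversion;
 * flags, width, precision and length modifiers may precede the letter. */
int format_has_n(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%": literal percent */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == 'n') return 1;
        if (!*p) break;                          /* stray '%' at end of string */
    }
    return 0;
}

/* Hardened wrapper: the format is always a programmer-chosen literal that the
 * compiler checks (GCC/Clang format attribute; -Wformat -Wformat-security also
 * flags the unsafe form printf(untrusted) at build time).  Untrusted text is
 * only ever a %s argument and is never parsed for specifiers. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Format one untrusted string through the wrapper and report whether it came
 * out verbatim, i.e. none of its own %-sequences were interpreted. */
int copied_verbatim(const char *untrusted)
{
    char buf[256];
    log_line(buf, sizeof buf, "login: %s", untrusted);   /* literal format */
    return strcmp(buf + strlen("login: "), untrusted) == 0;
}
```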